The purpose of this article is to detail the research that I have completed regarding the Western Digital MyCloud family of devices.

Several serious security issues were uncovered during my research. Vulnerabilities such as pre auth remote root code execution, as well as a hardcoded backdoor admin account which can NOT be changed. The backdoor also allows for pre auth remote root code execution on the affected device.

The research was conducted on both a WDMyCloud 4TB and a WDMyCloudMirror16TB with the latest available firmware 2.30.165. My research shows thatthe 04 branch of the WDMyCloud firmware is not vulnerable to these issues.

--[ 00.1 - Background

WD My Cloud is a personal cloud storage unit to organize your photos and videos. It is currently the best selling NAS (network attached storage)device listed on the amazon.com website, and is used by individuals andbusinesses alike. It's purpose is to host your files, and it also has theability to sync them with various cloud and web based services.

--[ 01 - Unrestricted file upload

The WDMyCloud device is vulnerable to an unrestricted file upload vulnerability within the following file:

/usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php

The root of the problem here is due to the misuse and misunderstanding ofthe PHP gethostbyaddr() function used within PHP, by the developer of this particular piece of code. From the PHP manual this functions return values are defined as the following for gethostbyaddr():

"Returns the host name on success, the unmodified ip_address on failure, or FALSE on malformed input."

With a brief overview of the problem, let's have a look at the offending code in order to get a better understanding of what is going on with this particular vulnerability.

--[ 01.1 - Vulnerable code analysis

Below is the code from the vulnerable "multi_uploadify.php" script. You cansee that I have annoted the code to explain what is happening.

#BUG 01: Here the attacker controlled "Host" header is used to define the remote auth server. This is by itself really bad, as an attacker couldeasily just specify that the host be the IP address of a server that theyare in control of. But, if we send it an invalid "Host" header it will justsimply return FALSE as defined in the PHP manual.

#BUG 04: The strncmp() call here is a strange one. It looks for a specificlogin failure. So, it never accounts for when things go wrong or slightlyunexpected. As a result this "if" statement will always be skipped.

#BUG 05: At this point all checks have been passed, and an attacker can usethis issue to upload any file to the server that they want.

The rest of the source code was omitted for the sake of breivity, but it just handles the file upload logic once the user passes the authenticationchecks.

--[ 01.2 - Remote exploitation

Exploiting this issue to gain a remote shell as root is a rather trivialprocess. All an attacker has to do is send a post request that contains a file to upload using the parameter "Filedata[0]", a location for the file to be upload to which is specified within the "folder" parameter, and of course a bogus "Host" header.

I have written a Metasploit module to exploit this issue. The module willuse this vulnerability to upload a PHP webshell to the "/var/www/"directory. Once uploaded, the webshell can be executed by requesting a URIpointing to the backdoor, and thus triggering the payload.

--[ 02 - Hard coded backdoor

After finding the previously mentioned file upload vulnerability I decidedto switch gears and start reversing the CGI binaries that were accessablevia the web interface. The CGI binaries are standard Linux ELF executablesand pretty easy to go through. Within an hour of starting I stumbled across the following file located at:

/usr/local/modules/cgi/nas_sharing.cgi

The above file can be accessed by visiting "/cgi-bin/nas_sharing.cgi" but it produces server errors with every single method, except when the "cmd"parameter was set to "7". This piqued my interest and so I really starteddigging into the binary, as it seemed very buggy and possibly vulnerable.

As it turns out the error was caused due to buggy code and nothing I was or wasn't doing wrong. But, while I was figuring out the cause of the error I happened to come across the following function that is used to authenticate the remote user.

--[ 02.1 - Vulnerable code analysis

Below is the psuedocode created from the disassembly of the binary. I haverenamed the function to "re_BACKDOOR" to visually identify it more easily.

As you can see in the above code, the login functionality specificallylooks for an admin user named "mydlinkBRionyg" and will accept the passwordof "abc12345cba" if found. This is a classic backdoor. Simply login with the credentials that I just mentioned from the above code.

Also, it is peculiar that the username is "mydlinkBRionyg", and that the vulnerability in Section 1 of this paper refers to a non existent file nameof "mydlink.cgi" but, more about that later in section 4...

--[ 02.2 - Remote exploitation

At first, to the untrained eye, exploiting this backdoor to do usefulthings may seem problematic due to the fact that only method "7" gives usno error. And, method 7 only allows us the ability to download any files in "/mnt/", but no root shell. But, we want a root shell. Right?

After digging deeper I realized that the CGI script was dying every time, but only at the final rendering phase due to what seems like an error where the programmer forgot to specify the content type header on output, thus confusing the webserver and causing the crash. So, everything we do gets executed up until that point successfully. It is just blind execution.

Now that I had that figured out I started looking for a method I could thenexploit to gain shell access. I started with method "51" because it was the first one I looked at. This particular method happened to contain a command injection issue. Now I easily could turn this backdoor into a root shell, and gain control of the affected device.

GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1

By sending a request like the one above a remote attacker could now executeany commands as root. And yes, the password is base64 encoded, as that iswhat the script expects. In the example above I simply create a file called "gulftech" located in the "/tmp/" directory.

The triviality of exploiting this issues makes it very dangerous, and evenwormable. Not only that, but users locked to a LAN are not safe either. Anattacker could literally take over your WDMyCloud by just having you visita website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames forthe WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc.

For example simply visiting the above link will totally destroy a WDMyCloudwithout the need for any type of authentication whatsoever, and there is nothing you can do about it except delete the file as the credentials are hardcoded into the binary itself.

--[ 03 - Miscellaneous vulnerabilities

In addition to the two previously mentioned critical vulnerabilities werealso several other issues. These other issues are still very dangerous, butrequire authentication in some cases, and for the most part are not considered as critical, and also require less technical explanation.

--[ 03.1 - Cross site request forgery

There is no real XSRF protection within the WDMyCloud web interface. Thiscan have quite the impact on unsuspecting users. Exploitation of this issue is trivial.

http://wdmycloud/web/dsdk/DsdkProxy.php?;rm -rf /;

For example, if a logged in WDMyCloud admin visits, or is forced to visitthe above link, then the entire device will be wiped out. This is just oneof many XSRF issues. We do not have time to track them all down.

--[ 03.2 - Command injection

Some time ago, a researcher from the "Exploiteers" team found an alarmingnumber of command injection issues within the WDMyCloud. Unfortunately, we were able to find quite a few as well.

The above code is an example of the type of command injection issues thatstill plague the WDMyCloud. This particular command injection is post auth,as were all of the other command injections I found too. However, I did not have time to sift through looking for all of these. And by now I feel that the manufacturer should know better considering they just went through the process of patching many command injection vulnerabilities disclosed by the Exploiteers.[1]

--[ 03.3 - Denial of service

It is possible for an attacker to abuse language preferences functionalityin order to cause a DoS to the web interface. This is due to the fact thatany unauthenticated user can set the global language preferences for theentire device and all of its users. The psuedocode from the disassembled binary can be seen below.

This is not a very useful attack vector since we only have 8 bytes to work with. But, you can make a script that keeps randomly resetting the language to some random language and it will affect all users of the device and requires no authentication. It is very hard to use the device if it is rendering all of the pages in a language you can not understand.

http://wdmycloud/cgi-bin/login_mgr.cgi?cmd=cgi_language&f_language=7

The above example request sets the language to korean. There are 17 available language codes. Details can be found in language.sh located on the target device.

--[ 03.4 - Information disclosure

It is possible for an attacker to dump a list of all users, includingdetailed user information.

GET /api/2.1/rest/users? HTTP/1.1

Making a simple request to the webserver like the one above will dump theuser information to an attacker for all users. This does not require any authentication in order to take advantage of.

--[ 04 - D-Link DNS-320L ShareCenter

As I have mentioned earlier in this article, I found it peculiar that the username used for the backdoor is "mydlinkBRionyg", and that the vulnerability in Section 1 of this paper refers to a non existent file nameof "mydlink.cgi". This really piqued my curiosity, and so I started usinggoogle to try to track down some leads. After searching for the term of"mydlink.cgi" I came across a reference to a post made by a D-Link userregarding their D-Link DNS-320L ShareCenter NAS device.[2]

Within that post were references to file names and directory structure thatwere fairly unique, and from the D-link device. But, they also perfectly matched my WDMyCloud device. The more I looked into this the weirder it seemed. So, I gained access to a D-Link DNS-320L ShareCenter. Once I had it things became pretty clear to me as the D-Link DNS-320L had the same exact hard coded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all. There are also other undeniable examples such as misspelled function names and other anomalies that match up within both the WDMyCloud and the D-Link DNS-320L ShareCenter code.

It should be noted that unlike the WDMyCloud the D-Link DNS-320L is currently NOT vulnerable to the backdoor and file upload issues, so you should upgrade your DNS-320L firmware as soon as possible as the issues canbe leveraged to gain a remote root shell on the DNS-320L if you are not upto date with your device firmware. The backdoor was first removed in the 1.0.6 firmware release. (July 28, 2014)

It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while. The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates.

--[ 05 - Credit

James BercegayGulfTech Research and Development

--[ 06 - Proof of concept

We strive to do our part to contribute to the security community.Metasploit modules for issues outlined in this paper can be found online.